Why? The real performance impact is close to zero but the risk of these vulnerabilities is too high.

I'll want to wait for a while and see more analysis before I agree with either of these claims, especially knowing how security flaws tend to be exaggerated. Then again, performance differences also tend to be exaggerated.

No update for Sandy Bridge surprises me, because they produced ME updates for Arrandale about 6 months ago.

Regardless, I will patch my Windows 7 and still only run JavaScript on trusted and necessary sites. Maybe some firewall rules for add-on utilities wouldn't go astray.

The Meltdown bug is fixed by a software update, but Spectre needs a CPU microcode update as well (and it is still a question whether it can be fixed by that). Browsers already have fixes to prevent the JavaScript attack, so the NoScript add-on is probably overkill now. I asked in the Intel forum whether there will be a Sandy Bridge microcode update provided by Intel at all. Microsoft can also deliver a CPU microcode update (it is updated upon every boot), or there is the VMware CPU Microcode Update Driver in the worst case.

I plan to build a new desktop PC based on AMD Ryzen, but I am still waiting for the new generation with an integrated GPU to avoid the fan noise of a video card. Then I'll retire my X220.

Still, this does not answer how serious the risks are and how much performance we are sacrificing to mitigate these theoretical risks. Probably, like with most of these, there will never be a straight answer given in a way the general public can understand; everyone will just subscribe to the FUD and install the "mitigation" patches, and even years from now we will have people giving out "words of wisdom" saying that you should not use your pre-Haswell CPU on the internet because it's "unsafe" (read: "basically broken, may as well give everyone the key to your front door").

I guess Intel will release a CPU microcode fix for 2nd gen Sandy Bridge as well. It is just Lenovo that won't bother to create a new BIOS version, so it is up to Microsoft to deliver the updated CPU microcode on Windows boot.

Intel will take a hit to its credibility and reputation over these latest exploits and it makes one wonder how long it has really known about these latest exploits.
Leaving many current systems unpatched and exposed would only prolong and amplify the current sentiment. Intel should tidy up their own mess to quarantine this mess.

Intel will take a hit to its credibility and reputation over these latest exploits and it makes one wonder how long it has really known about these latest exploits.

Probably since they were first reported to them, some time last year. As you can understand from reading all the technical documentation released so far, the techniques required to create these exploits are not trivial by any stretch of imagination.

There is always the class of people who are willing to take advantage of anything making sufficient noise in the media to try to sneak in a 'class action' and win a whole lot of money that they don't deserve. The US judicial system seems to be particularly geared towards that sort of thing.

But any such suit will probably be thrown out almost immediately. There is no basis. Flaws in technology are found and fixed all the time. There is no malicious intent here, and no case of negligence (unless you can prove that CPU vendors had known about these risks for a long time, which you probably cannot, since it's probably untrue).

As you can understand from reading all the technical documentation released so far, the techniques required to create these exploits are not trivial by any stretch of imagination.

But given the number of machines affected and the complicated path to protect them (BIOS update etc.), it is very, very tempting to create such an exploit. For Meltdown it is known and will be published later, as stated here: https://twitter.com/misc0110/status/948706387491786752

We'll see how practical it is when it's published. It can very well be a tailored example to prove a point, not something you can actually work with. He does claim that they will release the PoC and we can try it ourselves, so I'll gladly wait for it.

To steal passwords typed in real-time, installing a keylogger is probably 10 million times easier, and requires no special knowledge of any vulnerabilities of any CPUs.

To steal passwords typed in real-time, installing a keylogger is probably 10 million times easier, and requires no special knowledge of any vulnerabilities of any CPUs.

Installing a keylogger on a properly secured machine is much more complicated than running malicious JavaScript in a browser, which you can't easily detect. Using NoScript is rather a torture and does not provide more protection anyway, because a "good location" script can be compromised as well; typically it happens to many ad scripts here and there.

So you just run malicious JavaScript that installs a keylogger. It's probably far simpler to write (using one of the multiple malware deployment platforms available) than a malicious script that executes precise side-channel attacks. Plenty of people run using local admin accounts with automatic elevation of privileges, bad idea as it may be.

No, neither vulnerability is able to install anything, at least according to today's knowledge. They can silently read data from the process address space, which means typed and saved passwords in the browser, as long as the browser tab with the malicious script is open.

How long should we wait before going down the VMware CPU Microcode Update Driver route? Has anybody tried it before?

Withdrawn CPU Microcode Updates: Intel provides to Lenovo the CPU microcode updates required to address Variant 2, which Lenovo then incorporates into BIOS/UEFI firmware. Intel recently notified Lenovo of quality issues in two of these microcode updates, and concerns about one more. These are marked in the product tables with “Earlier update X withdrawn by Intel” and a footnote reference to one of the following:

*1 – (Kaby Lake U/Y, U23e, H/S/X) Symptom: Intermittent system hang during system sleep (S3) cycling. If you have already applied the firmware update and experience hangs during sleep/wake, please flash back to the previous BIOS/UEFI level, or disable sleep (S3) mode on your system; and then apply the improved update when it becomes available. If you have not already applied the update, please wait until the improved firmware level is available.

*2 – (Broadwell E) Symptom: Intermittent blue screen during system restart. If you have already applied the update, Intel suggests continuing to use the firmware level until an improved one is available. If you have not applied the update, please wait until the improved firmware level is available.

*3 – (Broadwell E, H, U/Y; Haswell standard, Core Extreme, ULT) Symptom: Intel has received reports of unexpected page faults, which they are currently investigating. Out of an abundance of caution, Intel requested Lenovo to stop distributing this firmware.

This is good, but I will be holding off on these patches for now, and hopefully Arrandale might follow. This is probably being driven by Intel, who are scrambling to retrieve some respect from the industry.

Lenovo has changed the BIOS update availability status for almost all devices to "Target availability TBD" from the particular dates previously announced, and many of them have returned to the Researching stage. It seems that patching the issue is a more complex task than expected.

All the tool basically does is read your registry settings, as these should report back the correct status.

There is no real magic there; it doesn't install on your system and is very light at 123 kB. This tool probably doesn't differentiate between the Core i CPUs and the dual cores and can't sense vulnerability.

AFAIK, for your dual-core machine you will only need the OS update for Meltdown, and for Spectre you are not at risk.
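Two questions recur in the thread: whether Windows actually loaded a newer microcode at boot than the Lenovo BIOS shipped (the Microsoft-delivered microcode discussed earlier), and what the 123 kB checker tool is really reading out of the registry. The PowerShell below is an added example written for this page; it is not any poster's script and not the checker tool itself. It assumes the registry locations and bit meanings Microsoft documented for the January 2018 updates (FeatureSettingsOverride / FeatureSettingsOverrideMask under Memory Management), and that "Update Revision" and "Previous Update Revision" under CentralProcessor\0 hold the raw IA32_BIOS_SIGN_ID MSR value with the microcode revision in the upper DWORD. Run it in an elevated PowerShell on the patched Windows 7/8.1/10 machine.

```powershell
# Added example for this thread, not code from any post or from the checker tool.
# Assumptions (see lead-in): registry paths and bit layout per Microsoft's
# Spectre/Meltdown registry guidance; "Update Revision" mirrors IA32_BIOS_SIGN_ID.

$mm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$cpu = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'

function Get-MicrocodeRevision {
    # Compares the microcode revision the kernel has loaded with the one the
    # BIOS left in place; a difference means Windows applied its own update
    # (mcupdate_GenuineIntel.dll) at boot, which is what a machine with no
    # vendor BIOS update relies on.
    $p = Get-ItemProperty -Path $cpu
    $toRev = {
        param([byte[]]$raw)
        if (-not $raw -or $raw.Length -lt 8) { return 'n/a' }
        # Assumption: raw 64-bit MSR value, revision in bits 63:32 (upper DWORD).
        '0x{0:X}' -f [BitConverter]::ToUInt32($raw, 4)
    }
    [pscustomobject]@{
        Processor        = $p.ProcessorNameString
        Identifier       = $p.Identifier          # e.g. "Intel64 Family 6 Model 42 Stepping 7"
        LoadedRevision   = & $toRev $p.'Update Revision'
        BiosRevision     = & $toRev $p.'Previous Update Revision'
    }
}

function Get-MitigationOverride {
    # Decodes the two registry values the OS honours. Only bits that are set
    # in the mask take effect; for those bits a 1 in the override DISABLES the
    # mitigation and a 0 ENABLES it (Microsoft's documented semantics):
    #   bit 0 (value 1): Variant 2, CVE-2017-5715, branch target injection (Spectre)
    #   bit 1 (value 2): Variant 3, CVE-2017-5754, rogue data cache load (Meltdown)
    $p = Get-ItemProperty -Path $mm -ErrorAction SilentlyContinue
    $override = [int]($p.FeatureSettingsOverride)       # $null -> 0
    $mask     = [int]($p.FeatureSettingsOverrideMask)   # $null -> 0
    $names = @{ 1 = 'Spectre v2 (CVE-2017-5715)'; 2 = 'Meltdown (CVE-2017-5754)' }
    foreach ($bit in 1, 2) {
        if (($mask -band $bit) -eq 0) {
            $state = 'OS default (client SKUs: on; Server: off until the keys are set)'
        } elseif (($override -band $bit) -ne 0) {
            $state = 'explicitly DISABLED via registry'
        } else {
            $state = 'explicitly ENABLED via registry'
        }
        [pscustomobject]@{ Mitigation = $names[$bit]; RegistrySetting = $state }
    }
}

Get-MicrocodeRevision | Format-List
Get-MitigationOverride | Format-Table -AutoSize

# The registry only records what was *requested*. Whether the kernel actually
# turned the Variant 2 mitigation on (it needs the new microcode this thread
# is waiting for) is reported by Microsoft's SpeculationControl module:
#   Install-Module SpeculationControl -Scope CurrentUser   # needs PowerShellGet
#   Get-SpeculationControlSettings
```

On a Sandy Bridge machine without a vendor BIOS update, LoadedRevision equal to BiosRevision means no newer microcode arrived via Windows either, so Get-SpeculationControlSettings will report the branch target injection hardware support as absent regardless of how the registry override is set; that is the distinction between "patched" and "mitigated" that the checker tool's registry read cannot make on its own.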